3

For JavaScript libraries such as jQuery or YUI3, either Google or Yahoo are hosting the scripts on their CDN, and a YUI 3 Cookbook paragraph says:

perhaps your pages use SSL, in which case loading remote resources is a bad idea, as it exposes your users’ secure information to the remote site

I can only see that the CDN site must be well trusted, or else malicious JavaScript can be running on www.mycompany.com's webpages. But assuming the CDN sites (Google and Yahoo) are well trusted, why would an SSL webpage not want to include those JavaScript library on a CDN -- how can it "expose your users' secure information to the remote site" as described in the book?

nonopolarity
  • 146,324
  • 131
  • 460
  • 740

3 Answers3

2

Loading external Javascript libraries via SSL onto an encrypted webpage can be seen as betraying a user's trust, as the information the user provides to the website is no longer, theoretically, between just them and the secure website. Furthermore, in the event of an external library becoming compromised, the information passed to the website itself could be compromised as well.

Ryan Grove, a YUI3 developer, has elaborated upon this in detail here.

In short,

[...] you’re letting FooCo execute any JavaScript it wants on your website. You’re loading that JavaScript securely over SSL, so the browser isn’t displaying any scary warnings, but now your users aren’t just communicating with buygadgets.example.com. Now they’re also communicating with cdn.foolib.com, and since cdn.foolib.com can run JavaScript on your pages, they can also see any information the user reads or enters on those pages.

Of course, whether or not you decide to pull external executable code over SSL is relative to how important security is to your particular use case, and there are varying opinions on this subject..

Ryan Stein
  • 7,930
  • 3
  • 24
  • 38
  • This effectively means all sites that use `https://ssl.google-analytics.com/ga.js` are breaking the trust – icc97 Jul 24 '15 at 11:53
  • This is FUD and total nonsense. We can absolutely trust JS loaded from `https://ssl.google-analytics.com/ga.js`, and the `//ajax.googleapis.com/ajax/libs` CDN. Your own website is a million times more likely to be hacked than one of those libraries being compromised. – ndbroadbent May 23 '16 at 09:58
1

It depends if the CDN has a secure version of the resource you're requesting. Google seems to be better at this than Yahoo! from what I've seen.

You can use protocol-less references to CDN resources like below:

Works from http or https:

<script type="text/javascript"
    src="//ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js"></script>

Works from http only:

<link rel="stylesheet"
    type="text/css"
    href="//yui.yahooapis.com/3.8.0/build/cssreset/cssreset-min.css" />

You can also do conditional loading of scripts from a CDN and fall back to local versions:

<script src="//ajax.googleapis.com/ajax/libs/jqueryui/1.8.14/jquery-ui.min.js">
</script>
<script>
    !window.jQuery.ui && document.write(            
    unescape('%3Cscript src="/scripts/jquery-ui-1.8.14.min.js"%3E%3C/script%3E'))
</script>
hunter
  • 62,308
  • 19
  • 113
  • 113
  • what if the CDN doesn't have an https link for it, then will it just be not possible to load it, or can the webpage load it, but just that "some secure user info can be exposed"? (but how?) – nonopolarity Dec 20 '12 at 20:31
0

It means the continent on your website is both from a secured server and from an insecure server. Furthermore it's possible to send data to a secured and unsecured server (cdn site). It really is a means to secure your site, if you are suing SSL then it stands to reason to serve all your resources with SSL as well.

Having said all this most CDNs can serve these resources through a SSL connection (including google).

ramsinb
  • 1,985
  • 12
  • 17